The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-223691	RACF-ES-000430	SV-223691r533199_rule		Medium

Description
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges.

STIG	Date
IBM z/OS RACF Security Technical Implementation Guide	2020-10-09

Details

Check Text ( C-25364r514761_chk )
From the ISPF Command Shell enter: Search all Class(Facility) MASK(ieasymup) For each entity found enter: RL facility If RACF resources are defined with a default access of NONE, this is not a finding. If RACF resource access authorizations restrict UPDATE and/or greater access to appropriate personnel (i.e., DASD administrators, Tape Library personnel, and system programming personnel), this is not a finding. If RACF resource logging requirements are specified for UPDATE and/or greater access, this is not a finding.

Check Text ( C-25364r514761_chk )

From the ISPF Command Shell enter:
Search all Class(Facility) MASK(ieasymup)

For each entity found enter:
RL facility

If RACF resources are defined with a default access of NONE, this is not a finding.

If RACF resource access authorizations restrict UPDATE and/or greater access to appropriate personnel (i.e., DASD administrators, Tape Library personnel, and system programming personnel), this is not a finding.

If RACF resource logging requirements are specified for UPDATE and/or greater access, this is not a finding.

Fix Text (F-25352r514762_fix)
Ensure that the System level symbolic resources are defined to the FACILITY resource class and protected. UPDATE access to the System level symbolic resources are limited to System Programmers, DASD Administrators, and/or Tape Library personnel. All access is logged. Ensure the guidelines for the resources and/or generic equivalent are followed. Limit access to the IEASYMUP resources to above personnel with UPDATE and/or greater access. The following commands are provided as a sample for implementing resource controls: rdef facility ieasymup.* uacc(none) owner(admin) - audit(all(read)) - data('protected per acp00350') rdef facility ieasymup.symbolname uacc(none) owner(admin) - audit(all(read)) - data('protected per acp00350') pe ieasymup.symbolname cl(facility) id(pe ieasymup.symbolname cl(facility) id(pe ieasymup.symbolname cl(facility) id(

Fix Text (F-25352r514762_fix)

Ensure that the System level symbolic resources are defined to the FACILITY resource class and protected. UPDATE access to the System level symbolic resources are limited to System Programmers, DASD Administrators, and/or Tape Library personnel. All access is logged. Ensure the guidelines for the resources and/or generic equivalent are followed.

Limit access to the IEASYMUP resources to above personnel with UPDATE and/or greater access.

The following commands are provided as a sample for implementing resource controls:

rdef facility ieasymup.* uacc(none) owner(admin) -
audit(all(read)) -
data('protected per acp00350')
rdef facility ieasymup.symbolname uacc(none) owner(admin) -
audit(all(read)) -
data('protected per acp00350')

pe ieasymup.symbolname cl(facility) id(pe ieasymup.symbolname cl(facility) id(pe ieasymup.symbolname cl(facility) id(